Trigger a Manual Discovery
AttackLens runs discovery automatically on a recurring schedule. However, you can trigger a discovery run manually at any time -- for example, after making infrastructure changes that you want reflected immediately.
INFO
Requires Admin role or higher.
When to Trigger Manually
Manual discovery is useful in the following situations:
- After provisioning new resources: You deployed new VMs, databases, or other infrastructure and want them to appear in AttackLens immediately.
- After modifying security configurations: You changed firewall rules, IAM policies, encryption settings, or other security-relevant configurations and want to verify the changes.
- After decommissioning resources: You deleted or shut down resources and want the asset inventory to reflect the current state.
- Before running a posture evaluation: You want to ensure the evaluation is based on the most current resource data.
- During an incident investigation: You need to compare the current state of your environment with a previous snapshot.
- After updating adapter credentials: You rotated secrets or access keys and want to verify the new credentials work by running a full discovery.
How to Trigger a Manual Sync
From the Adapter Detail Page
1. Navigate to Discovery > Adapters.
2. Click on the adapter you want to sync.
3. On the adapter detail page, click Test Connection.
Testing the connection confirms that the stored credentials are still valid and that the expected permissions are in place. It does not trigger a full discovery run, but it confirms that the adapter is ready for the next scheduled run.
TIP
The Test Connection action validates credentials in real time. Use it to quickly verify that your adapter configuration is correct before waiting for the next scheduled discovery run.
Scheduled Discovery
Discovery runs are managed by the platform and execute on a regular schedule for all active adapters. The schedule is configured at the platform level and is not adjustable per adapter.
Each scheduled run:
- Iterates through all active adapters.
- Authenticates to each cloud provider using the stored credentials.
- Enumerates all resources in scope.
- Creates new snapshots for every discovered resource.
- Marks the previous snapshots as historical.
- Synchronizes discovered resources into the asset inventory.
What Happens During a Discovery Run
When discovery executes for an adapter, the following steps occur:
1. Authentication
AttackLens decrypts the stored credentials and authenticates to the cloud provider. If authentication fails, the run is aborted and the error is recorded on the adapter.
2. Resource Enumeration
The adapter queries the provider's management APIs for all supported resource types. For multi-region providers (AWS, Azure), each configured region is queried in sequence.
3. Deep Property Collection
For each discovered resource, AttackLens collects every property exposed by the provider's API. This includes configuration details, security settings, network associations, IAM bindings, and tags.
4. Snapshot Creation
Each discovered resource is stored as a new snapshot. The previous snapshot for the same resource is marked as historical.
5. Asset Synchronization
Discovered resources are mapped to assets in the asset inventory:
- New resources create new assets.
- Existing resources update their corresponding assets.
- Resources that are no longer detected are flagged.
6. Downstream Processing
After synchronization, AttackLens triggers:
- Policy and ruleset re-evaluation against updated assets.
- Vulnerability correlation for any newly discovered software or services.
- Attack graph recomputation to reflect the current environment state.
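The following is an added illustration, not AttackLens code, of how steps 4 and 5 fit together: each run appends a snapshot, marks the previous one historical, and reconciles the asset inventory into new, changed and flagged resources. The data model, the names `Snapshot`, `Inventory` and `sync_discovery`, and the resource identifiers are assumptions made for the example; how the last snapshot of a resource that is no longer detected is treated is not specified on this page and is left unmarked here.

```python
from dataclasses import dataclass, field

@dataclass
class Snapshot:
    resource_id: str
    properties: dict
    historical: bool = False

@dataclass
class Inventory:
    snapshots: dict = field(default_factory=dict)  # resource_id -> [Snapshot], newest last
    assets: dict = field(default_factory=dict)     # resource_id -> {"properties", "flagged"}

def sync_discovery(inv, discovered):
    """Apply one run's enumeration result (resource_id -> properties)."""
    report = {"new": [], "changed": {}, "flagged": []}
    for rid, props in discovered.items():
        history = inv.snapshots.setdefault(rid, [])
        if history:
            history[-1].historical = True          # step 4: previous snapshot
        history.append(Snapshot(rid, dict(props)))
        asset = inv.assets.get(rid)
        if asset is None:
            report["new"].append(rid)              # step 5: new resource, new asset
        else:
            old = asset["properties"]
            diff = {k: (old.get(k), props.get(k))
                    for k in sorted(old.keys() | props.keys())
                    if old.get(k) != props.get(k)}
            if diff:
                report["changed"][rid] = diff      # property drift since last run
        inv.assets[rid] = {"properties": dict(props), "flagged": False}
    for rid, asset in inv.assets.items():
        if rid not in discovered and not asset["flagged"]:
            asset["flagged"] = True                # step 5: no longer detected
            report["flagged"].append(rid)
    return report

def demo():
    # Constructed sample data: two runs against the same account.
    inv = Inventory()
    sync_discovery(inv, {"vm-web-01": {"disk_encrypted": True, "public_ip": False},
                         "db-orders": {"publicly_accessible": False}})
    report = sync_discovery(inv, {"vm-web-01": {"disk_encrypted": True, "public_ip": True},
                                  "bucket-logs": {"public_access_blocked": True}})
    return inv, report

if __name__ == "__main__":
    print(demo()[1])
```

The `changed` entry is the part worth reviewing after a configuration change or during an investigation: it lists each property whose value differs between the previous and the current run.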
Monitoring Discovery Progress
After a discovery run starts, you can monitor its progress:
- Navigate to the adapter detail page.
- The Last Sync timestamp and Last Sync Status fields update when the run completes.
- If the run encounters an error, the Last Sync Error field shows the error message.
Discovery Timing
Discovery run time depends on several factors:
| Factor | Impact |
|---|---|
| Number of resources | More resources take longer to enumerate and collect. |
| Number of regions | Multi-region accounts require querying each region separately. |
| Provider API rate limits | AttackLens respects provider rate limits, which may slow down large accounts. |
| Resource complexity | Resources with many nested properties (e.g., AKS clusters, RDS instances) take longer to collect. |
Typical discovery times:
| Scenario | Estimated Time |
|---|---|
| Small account (< 100 resources, 1 region) | 1-2 minutes |
| Medium account (100-500 resources, 2-3 regions) | 3-5 minutes |
| Large account (500-2000 resources, 5+ regions) | 5-15 minutes |
| Very large account (2000+ resources, all regions) | 15-30 minutes |
Troubleshooting Failed Runs
If a discovery run fails, check the adapter detail page for the error message. Common issues:
| Error | Cause | Solution |
|---|---|---|
| Authentication failed | Credentials expired or revoked | Update credentials on the adapter edit page and test the connection |
| Access denied | Required permissions were removed | Re-assign the necessary roles/policies in the cloud provider |
| Rate limited | Too many API calls | Wait for the next scheduled run; the provider's rate limit will reset |
| Timeout | Network issue or very large account | Check network connectivity; consider narrowing the region scope |
Next Steps
- View discovery snapshots to inspect the results of a discovery run.
- Manage adapters to update adapter configuration.
- Understand discovery for a conceptual overview of how discovery works.